Share and Learn- SharePoint

Authentication in SharePoint 2013

Before a user can get to content, authentication and authorization happens. Authentication which happens before authorization is a process where user credentials are verified to get to the SharePoint server. After a user is authenticated then he/she can view the content for which they have permissions and this is Authorization.

There are two kinds of authentication Claims and Classic.

In Classic based Authentication SharePoint directly uses windows identity for authentication. But in claims a security token is passed on to the required service for authentication. Meaning you can overcome the double hop limitation using claims while using NTLM (discussed below). Also if you want to use Web Apps server, outlook then you have to use claims.

So we have established that claims is the way to go in SP 2013. Now lets discuss more types in claims.

While creating a new web app using claims you can select different types of claims

Windows authentication : You can using NTLM or Kerberos, basic authentication, digest authentication.

Forms based authentication: This type is usually used for out side user login. It is configured using ASP.NET membership provider. Meaning user with out active directory accounts should be able to authenticate.

SAML token based authentication : Any service which can issue SAML based tokens can be used to authentication.

SharePoint is a ASP.NET application and it uses Windows Identity Foundation and .NET Framework to implement claims infrastructure. This is accomplished using security token service application which can validate claims and also acts as identity provider. This service is configured by the SharePoint itself and user has no control to create or configure.

If you choose Windows Authentication while creating a web app then you have to select one of the options below

Integrated windows : NTLM or Kerberos

NTLM is most used authentication here as it is secure and easy to configure. User is a uthenticated in a challenge response fashion and the password in never sent over the network but hash of the password generated using one way hashing algorithm is used.

Kerberos: It is the default authentication used my Microsoft for windows login. This process involves generating encrypted ticket and authenticating using these Ticket granting server session keys. Passwords in any form are never sent across the network and the life time of the tickets is 10 hours by default so user no longer need to be authenticated during this time. This type of authentication would help over come the double hop issue. I would like to talk more about how kerberos works as it helps me understand the process better every time I think about it but there are some really well documented articles already available and I can not present the information any better. Please check out Kerberos explained or MIT, where it was created. Out of all available methods kerberos is the most secured form of authentication but it needs extra configuration steps.

Kerberos can be configured as basic or constrained delegation depending on your domain architecture. Basic will allow web apps to pass on the kerberos tickets to different domains with in the same AD forest but not across multiple forest boundaries. You can over come this with constrained delegation provided you have Windows server 2012.

Constrained delegation is not mandatory for SharePoint 2013 but it is highly recommended as the access to different service applications can be controlled. The following service application do need constrained delegation if you use Kerberos.

Anonymous users can access the site. This type is usually used for internet facing sites which disseminates information

Federated Authentication

It is used to configure a web app to authenticate users using third party credentials. For example you can authenticate clients, partners, etc using their organization credentials by using ADFS. Windows live ID or face book account can also be used to authenticate. As we discussed above SharePoint 2103 primary authentication is claims or you can say it is the only recommended authentication method, It supports multiple authentication methods on a single web application. So you reduce the over head of multiple zones or web applications in some cases.